Inside Telecommunications: 4Q 2011 trends

Regulatory trends and their potential impacts

Competing voices in the debate on piracy controls

Efforts to limit illegal file sharing are under way in many countries, yet the range of stakeholders involved means that debate often continues at the expense of policy consensus. Nevertheless, there have been developments on a number of fronts in recent months, suggesting that approaches to piracy are evolving quickly.

Solutions cannot come too quickly — in 2008, the cost of digital piracy was estimated at between US$30b and US$75b for G20 economies [7].

In a test case in October, UK incumbent BT was ordered to block access to the pirate site Newzbin2 after six major Hollywood film studios brought the case to the High Court. The judge referenced European law that rejects ISPs' claims that they have no responsibility to act against copyright infringement, and BT was also ordered to carry the costs of implementing the web block — which it estimates at £5000, and £100 for subsequent notifications [8].

The following month, UK music industry trade body BPI asked BT to block Pirate Bay — the world's largest BitTorrent site — voluntarily, while Dutch ISPs Ziggo and XS4ALL were ordered to do the same by a court in The Hague in January 2012.

While the Newzbin2 case certainly represents a landmark, court orders remain slow and expensive. At the same time, the wider issue of creative industries and ISPs agreeing on how to tackle illegal file sharing sites remains a thorny one.

Other regions are seeing similar initiatives: in November, five Australian ISPs backed a new policy to send out "education notices" to users suspected of accessing pirated content [9]. If three warnings are received within 12 months, the customers' details can be passed on to copyright holders, who would then be able to launch proceedings against them.

Looking beyond dialogue with end users, the practicalities of blocking website access present additional problems. Indeed, the very pace of technology change is seen as an obstacle to copyright enforcement — many industry watchers see relevant rules condemned to play catch-up in the online world.

Alternative solutions do exist to confront pirated material. While the onus currently lies with ISPs to varying degrees, credit card companies and web players are seen by some as content guardians.

Nevertheless, consensus appears even harder to achieve in the technology sector. In the US, a host of leading websites strongly oppose the Stop Online Piracy Act in the House and Protect IP Act in the Senate, which want websites and search engines to share responsibility for cracking down on piracy. However, the costs and liabilities involved are seen as unsupportable.

Privacy remains a significant issue for many telecommunications operators and poses ever-increasing challenges [10]. This should come as no surprise; operators capture and hold enormous amounts of data on their customers.

Furthermore, factors such as new services, the continued digitization of information, as well as more accessible and ever cheaper digital storage, have only increased the amount — and level of sensitivity — of the personal data operators accumulate. More generally, as operators invest in building deeper two-way customer relationships, their growing dependency on customer data will increase the associated risks.

While operators need a better understanding of customer data to serve them and build more suitable propositions and pricing, compliance and regulations — as well as customer opinions and perceptions — may restrict that.

Furthermore, this data is often dispersed in — or accessible through — a plethora of systems.

Having more than 100 different applications that provide access to the data is no better. There is a genuine need for many different people to have access to this data in order to provide the required services.

Increasing privacy regulations

As the need for better privacy management expands, countries continue to adopt stronger regulations to address the growing risks and increased privacy concerns. These new, and often stricter, rules can have a real impact. Let's look at two examples:

In view of operational excellence, many operators are or have been centralizing or outsourcing activities such as call centers, billing and fraud management, and IT operations. However, such projects may require personal information to cross geographic boundaries, which could be forbidden or subject to specific and sometimes contradictory regulations.

Breach notification requirements are proliferating in countries around the world [11]. This means that operators will need to openly notify customers whose personal data has been, or is likely to have been, compromised. The biggest impact of a privacy breach is not the fine for noncompliance. It's the impact on reputation.

So where are the risks?

We typically see three main sources of privacy breaches with telecom operators:

Unintentionally overstepping the boundaries

How far can operators go in using customer information for their own marketing and selling purposes? The answer is unclear. Some operators are already — though sometimes unknowingly — overstepping the boundaries of customer tolerance and/or privacy regulation. Since customer information has tremendous value to third parties, some operators, such as Verizon Wireless, have changed their privacy policies to allow certain information to be sold, albeit in an anonymously aggregated manner.

For example, in Verizon Wireless' case, the company may now record customers' location data and web browsing histories, combine them with other personal information such as age and gender, aggregate this with millions of other customers' data, and sell it on an anonymous basis. Whether customers accept or are even aware of these practices is uncertain.

Accidental breaches

This type of breach involves accidental loss or sharing of personal data. This could be through the loss of a laptop or by mistakenly providing personal data of one customer to another customer.

Deliberate privacy breaches

Highly sensitive information is a target for hackers to sell or to abuse. High-profile cyber-crime intrusions come to mind. The vast number of intrusions in 2011 has shown this threat is real. However, breaches also come from internal sources — for example, a customer care employee providing call details about the wife of a friend to help his divorce case.

[11] Many US states already have breach notification requirements in place, but such requirements are also included in the draft proposal for the new General Data Protection Regulation, as well as in the latest amendments to the existing e-privacy directive (under Article 4 of the amended e-privacy directive — Dir. 2009/136/EC, amending Dir. 2002/58/EC — electronic communications providers must report personal data breaches without delay to the competent national authority, and to subscribers or individuals when the breach is likely to adversely affect their personal data).
